__group__ ticket summary owner component _version priority severity milestone type _status workflow _created modified _description _reporter
Next Release 38903 Prevent `update_option()` from updating when the old and new values contain identical objects. peterwilsoncc General 2.0 normal normal 4.8 defect (bug) assigned has-patch 2016-11-22T12:12:51Z 2016-12-09T16:44:18Z "When an object is included in an option, passing an unchanged value to `update_option` will trigger an UPDATE query.
Given the data below, the `meta_data` will have a different resource ID for the old and new values. `$value === $old_value` will always evaluate untrue and the database will be updated and the caches cleared.
{{{
array(2) {
[""url""]=>
string(85) ""http://src.wordpress-develop.dev/wp-content/uploads/2016/10/cropped-Blurry-Lights.jpg""
[""meta_data""]=>
object(stdClass)#370 (3) {
[""attachment_id""]=>
int(292)
[""height""]=>
int(708)
[""width""]=>
int(1260)
}
}
}}}
Followup from #38866, props due @bradyvercher for finding." peterwilsoncc
Future Releases 38708 Unify email length checks General normal normal Future Release enhancement new 2016-11-08T06:48:47Z 2016-11-09T03:15:44Z "Right now, the comment form checks for 6 characters minimum for email addresses. In #38506, we updated the REST API to do the same.
We should update `is_email()` to include this check, or change the other checks to match `is_email()`. It makes no real sense to have the check in two places." rmccue
Future Releases 38702 REST API: Add accessor functions for post_status and post_parent REST API 4.7 normal normal Future Release enhancement new 2016-11-08T02:26:23Z 2016-11-08T02:26:23Z "In order to enable better permission checks for Customiser Changesets, these need to be filterable.
See [https://github.com/xwp/wp-customize-snapshots/issues/32 xwp/wp-customize-snapshots#32]. Split from #38701." rmccue
Future Releases 38641 Support partial ISO8601 dates in queries REST API 4.7 normal normal Future Release enhancement new 2016-11-03T01:17:39Z 2016-11-30T00:48:58Z "Right now, we support sending `date` or `modified` with a full ISO 8601 date (`yyyy-mm-ddThh:ii:ssZ`), and we also support `before` and `after`. However, there's no easy way to get posts for a certain month, without building the `before` and `after` yourself.
[https://en.wikipedia.org/wiki/ISO_8601 ISO 8601] gives us a way to specify partial dates: `yyyy` and `yyyy-mm` are both valid, and we could totally support them. This avoids the need for a separate `year` or `month` query parameter. Internally, this can map to `before` and `after` values." rmccue
Future Releases 38597 Discourage usage of legacy properties in WP_Network jeremyfelt General 4.6 normal normal Future Release enhancement reviewing has-patch 2016-10-31T20:48:29Z 2016-11-02T21:23:40Z "`@property`'s is for magic properties: https://phpdoc.org/docs/latest/references/phpdoc/tags/property.html
Since `$id` isn't magic, let's remove the `@property` documentation.
See: #37050" johnjamesjacoby
Future Releases 38474 wp_signups.activation_key stores activation keys in plain text Security 4.6.1 normal normal Awaiting Review enhancement new 2016-10-24T16:17:29Z 2016-11-30T15:07:21Z "== Steps
1. Visit /wp-admin/user-new.php (on a multisite installation - I haven't tested on single site)
2. Fill out the ""Add New User"" form but do not check the ""Skip Confirmation Email"" checkbox
3. The user will be sent an email containing a link to /wp-activate.php?key=7259c714857ef009
== Actual behaviour
This key is stored in the database unencrypted:
{{{
mysql> select activation_key from wp_signups where signup_id=4;
+------------------+
| activation_key |
+------------------+
| 7259c714857ef009 |
+------------------+
1 row in set (0.00 sec)
}}}
== Expected behaviour
wp_users.user_activation_key contains a timestamp and a hash of the key. wp_signups.activation_key is no less important to security and so should include these security features too." tomdxw
Future Releases 38342 Quick Draft: Leverage REST API endpoints joehoyle Administration normal normal Future Release enhancement assigned has-patch 2016-10-18T13:54:21Z 2016-12-09T19:05:19Z "If the REST API content endpoints were in core, how would we rebuild core features (like Quick Draft) to use it? I am opening this ticket to track work on converting the Quick Draft feature to using the REST API.
The quick draft feature is a meta box on the Dashboard for creating draft posts:
[[Image(https://cl.ly/0l1n311M3T1e/Dashboard__WordPress_Dev__WordPress_2016-10-18_09-37-07.jpg)]]
Quick Draft currently uses a simple form to post to `post.php` and create a the draft. The goal of this ticket would be to switch this action to JavaScript and the REST API. In addition, we would switch the list of recent drafts below the form to load via the API and render dynamically as well as adding a progress indicator and confirmation/error message. Note that the form is already hidden if JavaScript isn't available.
Aaron Rutley has already coded a POC version here: https://github.com/AaronRutley/quick-rest-draft
" adamsilverstein
Future Releases 38133 "Core widget fields fail to render value of ""0"" when empty() checks are used" stevenkword Widgets 2.6 normal normal Future Release defect (bug) reviewing has-patch 2016-09-22T19:52:55Z 2016-11-02T22:42:15Z "If you put a single zero 0 the instance property for in many default widgets, it won't output any thing if an `empty()` check is used since `empty( '0' ) === true`. You can try putting a 0 in any widget title or content. It works if you put 00 or anything else.
The reason being our use of `empty( $variable )` and `! empty( $variable )` in the default widgets. `empty` returns FALSE if var exists and has a non-empty, non-zero value.
So it will be better to use `isset( $variable) && $variable != ''` instead. Wanted to submit a patch but wanted to know if above method will be the best one." hardeepasrani
Future Releases 37873 Consolidate customizer CSS mrahmadawais Customize normal minor Future Release defect (bug) assigned 2016-08-29T22:43:58Z 2016-10-15T02:07:27Z "There is a lot of rule duplication in the customizer's CSS, as well as separate files for nav menus and widgets. Much of the UI is very similar or the same, so it seems worth coming up with some standard names for those visual components. We should also consider whether it's worth maintaining those separate files.
This will almost certainly impact JS and possibly plugins, so we should research that as well.
Previously: #34333" helen
Future Releases 37868 Avoid default width styles in the markup of the audio player wonderboymusic Embeds 4.6 normal normal Future Release enhancement assigned has-patch 2016-08-29T18:51:47Z 2016-10-03T22:37:28Z "The markup for every audio player contains inline styles for setting its width to 100%, like below (simplified):
{{{

}}}
Why not move that style to a stylesheet? It is the default style for ''every'' audio player, so let’s not repeat ourselves each time. Moreover, style attributes in the HTML make it hard to override styles. If you don’t want your audio player to be 100% wide you’re left with two ugly options:
a) Use `!important` declarations in your own stylesheet to override it.
b) Filter out the default width like this:
{{{
add_filter( 'shortcode_atts_audio', 'my_shortcode_atts_audio', 10, 4 );
function my_shortcode_atts_audio( $out, $pairs, $atts, $shortcode ) {
$out['style'] = preg_replace( '~(?:^|\s)width\s*+:\s*+100%;?~i', '', $out['style'] );
return $out;
}
}}}
" GeertDD
Future Releases 37790 Post editing sidebar does not always act sticky Editor 4.6 normal normal Awaiting Review defect (bug) new has-patch 2016-08-23T14:38:32Z 2016-11-30T15:08:44Z "= Situation 1 (works fine) =
1. Go to the new post page (`/wp-admin/post-new.php`).
2. Paste enough lorem ipsum into the visual editor that the page is able to scroll.
3. Scroll down.
Expected and actual behaviour:
`#side-sortables` gets `position: fixed` and sticks to the viewport as you scroll down the page
= Situation 2 (does not work) =
1. Add metaboxes to the post type (enough so that the page will scroll - ACF is an easy way to do this, or you could just install a bunch of plugins, or manually create the metaboxes).
2. Go to the new post page.
3. Scroll down.
(Make sure your viewport is taller than the editor).
Expected behaviour:
Just like the other situation, `#side-sortables` should get `position: fixed` and stick to the viewport as you scroll down the page.
Actual behaviour:
Nothing happens to `#side-sortables` and the sidebar does not follow the viewport as the user scrolls.
----
This happens because in `wp-admin/js/editor-expand.js` it compares the height of the ''editor'' against the height of the viewport.
{{{
// Sidebar pinning
if ( $postboxContainer.width() < 300 && heights.windowWidth > 600 && // sidebar position is changed with @media from CSS, make sure it is on the side
$document.height() > ( $sideSortables.height() + postBodyTop + 120 ) && // the sidebar is not the tallest element
heights.windowHeight < editorHeight ) { // the editor is taller than the viewport
}}}
It should compare the height of the whole page instead. i.e.:
{{{
heights.windowHeight < $('#poststuff').outerHeight() ) { // the page content is taller than the viewport
}}}
Attached a diff (make sure to do `define('SCRIPT_DEBUG', true);`when using this diff as I didn't recompile the JS)." tomdxw
Future Releases 37708 `wp_http_supports()` doesn't reflect what Requests can do HTTP API 4.6 normal normal Future Release defect (bug) new 2016-08-18T04:36:47Z 2016-11-02T23:00:06Z "While reviewing what parts of `WP_HTTP` can be removed in #37705, I noticed that `wp_http_supports()` still performs it's checks against the `WP_HTTP` transports rather than querying against Requests to see if the request can be performed or not.
The only capability which we supported was `ssl`.
Three options:
1. Query SSL ability against Requests (if it supports that)
1. Deprecate and always `return true;`
1. Implement a small check to see if SSL requests will be able to proceed, checking for cURL features or openssl being available (and all the other streams requirements being satisfied).
The above options are in my order of preferences, we should support it if possible, but I'm not afraid of just no-oping the function.
Marking for 4.7, with the potential for 4.6.x backporting." dd32
Future Releases 37082 Remove (most) uses of create_function() from core rmccue General normal normal Future Release enhancement assigned has-patch 2016-06-12T16:57:51Z 2016-11-03T02:07:34Z "There are currently five uses of create_function() in WP core. Four of them may be trivially refactored into simpler, more secure, and (marginally) more performant versions which do not use create_function() while still retaining PHP 5.2.0 compatability.
The fifth use, in wp-includes/pomo/translations.php relies on arbitrary code evaluation and can't be trivially refactored, so it's been left out of this issue." sgolemon
Future Releases 37068 wp_unique_post_slug() should accept `$post` parameter rather than post properties Posts, Post Types normal normal Future Release enhancement new has-patch 2016-06-10T03:30:31Z 2016-08-31T22:09:29Z "Breaking this ticket off from #20419.
The function signature for `wp_unique_post_slug()`' is currently:
{{{
function wp_unique_post_slug( $slug, $post_ID, $post_status, $post_type, $post_parent )
}}}
This is a departure from `wp_unique_term_slug()`, which accepts two parameters: `$slug` and `$term` (where `$term` is a term object). For greater consistency, we should prefer a post object in `wp_unique_post_slug()`.
There are also some cases where the current function signature requires weird hacks, such as when generating sample permalinks. See #20419. Another argument for standardizing the signature.
Latest patch is at https://core.trac.wordpress.org/attachment/ticket/20419/20419.5.diff" boonebgorges
Future Releases 37009 When two different tags generate the same slug, the second tag is rejected boonebgorges Taxonomy 4.5.2 normal normal Future Release defect (bug) assigned 2016-06-03T00:59:03Z 2016-08-31T22:07:36Z "When two different tags result in the same slug, instead of the slugs being made unique the second tag is discarded and treated as if it were the first. Here's an example:
1) Add the tag ""$4 gas"" to a post, via the post edit screen.
2) Update the post.
3) Verify that the term ""$4 gas"" is added to the wp_terms table with ""4-gas"" as its slug and that the tag is displayed with the post on the edit screen.
4) Add the tag ""#4 gas"" (or ""#4-gas or similar) to the post, via the post edit screen.
5) Update the post.
6) Note that the term ""#4 gas"" has not been added to the wp_terms table and the tag is not displayed with the post.
Also, if you try to add ""#4 gas"" to any post, you'll get ""$4 gas"" instead.
(I realize this example sounds silly, but with the many tags based on words in different languages or brands, unique tags can result in the same slug.)
It seems that what should happen in this case is that if the original tags are actually unique, the second one should get a unique slug (with something like '-2' appended).
I'm using WordPress 4.5.2 with all plug-ins deactivated." michael.costanza
Future Releases 36784 wp_update_comment should work with meta Comments 4.4 normal normal Future Release enhancement new has-patch 2016-05-08T14:45:03Z 2016-10-15T16:38:03Z "Since 4.4, wp_insert_comment allows you to pass through meta that will be added to the new comment...
{{{
// If metadata is provided, store it.
if ( isset( $commentdata['comment_meta'] ) && is_array( $commentdata['comment_meta'] ) ) {
foreach ( $commentdata['comment_meta'] as $meta_key => $meta_value ) {
add_comment_meta( $comment->comment_ID, $meta_key, $meta_value, true );
}
}
}}}
I have found this very useful in simplifying my new comment construction.
Suggesting the same code be added to wp_update_comment, except using update_comment_meta, to mirror the functionality." dshanske
Future Releases 36561 Deprecated notices should be classified as such. General normal normal Awaiting Review enhancement new has-patch 2016-04-17T11:16:42Z 2016-10-31T07:21:39Z "All errors triggers should be classified with the appropriate error level.
Most notably, the `_deprecated_function()`/`_deprecated_constructor()`/`_deprecated_file()`/`_deprecated_argument()`/`_doing_it_wrong()` function do not pass an appropriate error level to `trigger_error()`.
For the deprecated function group, the most appropriate level seems to be `E_USER_DEPRECATED` which was introduced in PHP 5.3.0.
For `_doing_it_wrong()` an `E_USER_NOTICE` (or `E_USER_WARNING`) seems more appropriate.
Fixed in the accompanying patch.
For backward compatibility with PHP 5.2, a define for `E_USER_DEPRECATED` has been added to `wp-includes/compat.php` which follows the same logic as used in SimplePie for consistency:
https://core.trac.wordpress.org/browser/trunk/src/wp-includes/class-simplepie.php#L699
" jrf
Future Releases 36514 posting with custom taxes helen Taxonomy 4.2 normal normal Future Release defect (bug) reviewing dev-feedback 2016-04-13T17:55:33Z 2016-11-11T16:58:15Z "Sorry for my bad english.
Seems there is a bug in wp-admin/includes/post.php on line 348.
Need for use
{{{#!php
'include' => $term,
}}}
instead
{{{#!php
'name' => $term,
}}}
Now it causes errors when saving posts within custom non-hierarchical taxonomies - WordPress by mistake spontaneously creates new items which has names like id's cheked items." hokku
Future Releases 36508 Call cache_users() when 'fields'=>'all' in WP_User_Query boonebgorges Users normal normal Future Release defect (bug) reviewing has-patch 2016-04-13T12:07:32Z 2016-08-31T21:55:59Z "Because roles and caps are populated (r32001), which is a meta call, we should proactively call `cache_users()` and pre-empt dozens of unnecessary meta SELECTs.
cc @boonebgorges " danielbachhuber
Future Releases 36342 No check to validate supplied author in export_wp() Export 3.1 normal normal Awaiting Review defect (bug) new 2016-03-25T22:51:41Z 2016-04-18T02:57:24Z One of the options for `export_wp()` is to filter by author, but that filter option is not validated, it's used verbatum in the wpdb call. This should be validated first no? theMikeD
Future Releases 36257 REST API: It's difficult to impossible to determine the endpoint matched to a request rmccue REST API normal normal Future Release enhancement assigned 2016-03-15T23:14:18Z 2016-11-07T04:49:59Z "Originally raised in Slack - https://wordpress.slack.com/archives/core-restapi/p1457730713002298
It is really difficult (and sometimes impossible) to get good information about the route/endpoint that was matched to a request.
You can inspect `$handler['callback']` in `'rest_dispatch_request'`, which gives the function that will handle the endpoint. In `'rest_post_dispatch'` you can get the URL regex that was matched. BUT none of that works if an error occurred in `'rest_authentication_errors'`, because the request is never dispatched.
A couple of cases where we need to match up requests to endpoints on WordPress.com:
1. Restricting access to certain endpoints. As far as I can tell, this is only possible by inspecting `$handler['callback']` during e.g. `'rest_dispatch_request'` and looking at the class and method name of the callback. (This also has the drawback that you can't prevent the endpoint's `permission_callback` from being called. To get around this, we use the filters added in #35590.)
2. Monitoring of endpoint calls, response times, etc. Getting the matched route regex, like `/wp/v2/posts/(?P[\d]+)`, is possible by listening on the `'rest_post_dispatch'` filter, but as mentioned above, this doesn't work if an error occurs in `'rest_authentication_errors'`, so we've had to move all of our auth logic out of `'rest_authentication_errors'` because we want to know which endpoints have failing auth.
Suggested improvements:
1. Make it possible to consistently and easily get info about the route that was matched up to a request, including the various URL pieces.
2. Still dispatch a request, or at least match it up to what the route would have been, if an error happens in `'rest_authentication_errors'`." jnylen0
Future Releases 35991 Adding support of terms meta to XML-RPC XML-RPC normal normal Future Release enhancement new has-patch 2016-02-29T00:31:36Z 2016-08-31T21:49:31Z "Since I'd need to do a batch custom taxonomy import (with additional meta terms) via XML-RPC, unfortunately I noticed that it seems that the XML-RPC doesn't allow to handle terms meta as introduced in 4.4.
This patch aims to add the support of terms meta to XML-RPC, specifically for `wp.addTerm`, `wp.getTerms`, `wp.editTerm` and `wp.editTerms` methods, in same way the API does with post custom fields.
The patch is a starting point and probably has to be revised since it assumes the fine-grained caps for taxonomy terms (see [ticket:35614]).
Also, the patch add the new `has_term_meta()` function to ''taxonomy.php'' in order to return also meta term IDs that could be needed in subsequent XMP-RPC `wp.editTerm` calls." enrico.sorcinelli
Future Releases 35501 "Dashboard page: incorrect work of ""Activity"" group box bottom counters" adamsilverstein Comments 4.4.1 normal normal Future Release defect (bug) assigned has-patch 2016-01-17T21:22:17Z 2016-09-01T15:32:29Z "STEPS TO REPRODUCE
Create new post, add comment through front end, go to dashboard page, click showed up menu items Approve/Unapprove/Spam/Trash in different combinations:
- click ""Approve"" and quick click ""Trash"",
- click ""Unapprove"" and quick click ""Trash""
- quick click ""Approve"" twice
EXPECTED RESULT: bottom counters ""All"", ""Pending"", ""Approved"", ""Spam"", ""Trash"" counts correct.
ACTUAL RESULT: see attachment." antonrinas
Future Releases 35430 Should the 'counts' cache group be persistent? Cache API 4.4 normal normal Future Release enhancement new needs-unit-tests 2016-01-13T02:58:54Z 2016-10-03T22:34:32Z I checked that the places storing data in the `'counts'` cache group have proper way to delete the data in cache on updates. For example, `wp_count_posts()` stores the post count, and `_transition_post_status()` deletes the count. So could we change the `'counts'` cache group to be persistent? This can reduce the repeated counting queries to the database. wjywbs
Future Releases 35075 Comment cache ignores custom query vars boonebgorges Comments normal normal Future Release defect (bug) assigned has-patch 2015-12-14T14:41:42Z 2016-04-27T21:04:49Z "It's currently very possible to add custom query vars to the get_comments function, for themes and plugins to extend. A problem occurs, however, if the function is being used and a custom query var is being used, but no standard ones are changing. This is because it caches the first query, and every subsequent query is then assumed to be the same since custom query vars are ignored.
I first thought about just using the entire query_vars array for caching, but decided there's probably a reason this wasn't done. So instead I decided it would make the most sense to make a filter for the cache keys so a plugin/theme can add its own keys that should be considered for caching." jason_the_adams
Future Releases 34981 Usage of `image_size_names_choose` breaks JS attachment model attributes joemcgill Media 4.3.1 normal normal Future Release defect (bug) assigned has-patch 2015-12-10T16:31:31Z 2016-11-02T20:19:40Z "Here's a small use case that shows how the issue arise.
I want to limit the options of image sizes in the default media modal to so I use the filter `image_size_names_choose` provided in `wp-admin/includes/media.php` and remove the sizes `thumbnail` and as well as `medium`. This brings me the expected result:
[[Image(https://naber.pegasus.uberspace.de/fs/public/images/2015/limit-attachment-sizes.png)]]
With this I have now the problem, that for every thumbnail image in the media library (mode: grid) the large image source is used which is a performance issue if there are more than a couple of images in the library.
The reason is, that the same filter `image_size_names_choose` is also applied to each image in `wp_prepare_attachment_for_js()` and therefore the attachment model does not reflect all available image sizes (`console.log( attachment.sizes )`:
[[Image(https://naber.pegasus.uberspace.de/fs/public/images/2015/attachment-model-sizes.png)]]
Here's a plugin that reproduces the issue in a clean WordPress (4.4) install:
`wp-content/plugins/image_sizes_issue/image_sizes_issue.php`:
{{{#!php
Reading. We should also change over the text in wp-signup.php. Currently, the option reads as install did before:
{{{
Privacy:
Allow search engines to index this site.
[Yes] [No]
}}}
With Twenty Sixteen:
[[Image(http://f.cl.ly/items/1C2x3x2W0V0P1C2d3010/Screen%20Shot%202015-10-04%20at%205.03.20%20PM.png)]]" DrewAPicture
Future Releases 32768 Customizer Widgets and Themes search improvements valendesigns Customize 4.2 normal normal Future Release enhancement assigned 2015-06-23T18:06:29Z 2015-11-23T14:11:30Z "Widgets and Themes search would need the same improvements done for the Menu Customizer.
Widgets:
- activating ""Add a Widget"" with the Space bar doesn't prevent the default action, as a result the search field gets a space character and the placeholder text is gone. See https://github.com/voldemortensen/menu-customizer/issues/107
Both:
- the search results (or no results) should be announced to assistive technologies, possible use case for wp.a11y.speak see #32720
- a short description of the ""live"" search functionality could help, see the Menu items search in core, i.e.: aria-describedby=""menu-items-search-desc""" afercia
Future Releases 31616 Splitting request_filesystem_credentials into separate functions Filesystem API normal normal Future Release enhancement new has-patch 2015-03-12T21:30:31Z 2015-12-22T09:45:57Z "This allows for more efficient and more readable uses.
Needed for Automatic_Upgrader_Skin and Shiny Updates." jipmoors
Future Releases 31518 WP_User::has_cap and 'map_meta_cap' filter johnbillion* Role/Capability 2.0 normal normal Future Release defect (bug) accepted 2015-03-03T20:34:51Z 2016-10-30T11:45:26Z "{{{
add_filter('map_meta_cap', function(){return array();}, 1,0 ); //�
new line
}}}
'''Quick Test:'''
{{{
$pee = ""

�\n
}}}
'''Solution:'''
Use [\r\n\t ] rather than \s." tenpura
Future Releases 27266 Front end search for attachment title cannot succeed Query 2.9 normal normal Future Release defect (bug) new has-patch 2014-03-03T20:58:32Z 2016-09-02T19:35:35Z "This is somewhat related to ticket #22556 but affects all queries that use the keyword search parameter, 's'.
Typing an attachment's title into the ""front end"" search box generated this query:
{{{
SELECT SQL_CALC_FOUND_ROWS wp_posts.ID
FROM wp_posts
WHERE 1=1
AND (((wp_posts.post_title LIKE '%Guatemala%')
OR (wp_posts.post_content LIKE '%Guatemala%'))
AND ((wp_posts.post_title LIKE '%IRF3%')
OR (wp_posts.post_content LIKE '%IRF3%')))
AND wp_posts.post_type IN ('post', 'page', 'attachment')
AND (wp_posts.post_status = 'publish'
OR wp_posts.post_author = 1
AND wp_posts.post_status = 'private')
ORDER BY (CASE
WHEN wp_posts.post_title LIKE '%Guatemala IRF3%'
THEN 1
WHEN wp_posts.post_title LIKE '%Guatemala%'
AND wp_posts.post_title LIKE '%IRF3%'
THEN 2
WHEN wp_posts.post_title LIKE '%Guatemala%'
OR wp_posts.post_title LIKE '%IRF3%'
THEN 3
WHEN wp_posts.post_content LIKE '%Guatemala IRF3%'
THEN 4
ELSE 5 END), wp_posts.post_date DESC
LIMIT 0, 2
}}}
Although the `post_type` clause includes `attachment`, the `post_status` test always fails because attachments have a `post_status` of `inherit`." dglingren
Future Releases 26605 Appearance of recent/future posts in dashboard looks off on mobile. Administration 3.8 normal normal Future Release enhancement new has-patch 2013-12-13T13:24:18Z 2016-08-11T20:25:10Z "When viewing the dashboard on a small screen device, the layout of the date and post title in the recent/future post section of the layout of the site activity widget looks funny when the title is fairly long.
I think it might be better to have the date on a separate line.
[[Image(https://dl.dropboxusercontent.com/s/h8jpr8305isg0gy/2013-12-13%20at%2013.17%202x%20%281%29.png)]]
" mattheu
Future Releases 24795 OS X Treatment Permalinks 3.6 normal trivial Future Release enhancement new has-patch 2013-07-18T15:54:01Z 2015-03-27T17:39:51Z "Just a minor annoyance. Certain things are inherently different about using a Mac over any other Operating system. Specific to my case is keymappings. While I suspect most Mac users are smart enough to read ""Ctrl + A"" and translate that to ""CMD + A"", we should be explicit when we can.
This patch inrtroduces pluggable function is_osx() that is really basic. Sadly, relies on User Agents and so is inherently flawed, but mainly useful anyway.
Using this function, the Permalinks Options screen uses Command A instead of CTRL A when .htaccess is not writable.
A little thing but annoying enough to warrant a patch." technosailor
Future Releases 24447 Avoid losing data after nonces expire iseulde Administration normal normal Future Release defect (bug) assigned 2013-05-29T07:55:35Z 2015-11-08T22:46:15Z "Happens when an admin page containing a form is left open for more than 24 hours and the user decides to submit the form. This is quite rare for most admin pages as the users typically spend short time there. However this can happen on the Edit Post screen too despite that we refresh the basic nonces every `wp_nonce_tick` (12 hours):
- The user starts new post.
- At some point the Internet connection is lost.
- The user decides to finish later and puts the computer to sleep (closes the laptop, etc.).
- The user decides to continue writing more than 24 hours after that.
At this point all nonces have expired and cannot be updated as we've missed the previous nonce_tick update." azaozz
Future Releases 24251 Reconsider SVG inclusion to get_allowed_mime_types Upload normal normal Awaiting Review enhancement reopened 2013-05-02T19:36:57Z 2016-09-22T09:38:57Z "There are some who think SVG should be included in core as an allowed mime type. Makes fine enough sense to me, since there is a good argument for it, and we have support for WordPerfect documents...so there's that.
Related: #20990" JustinSainton
Future Releases 24160 ALTERNATE_WP_CRON runs wp_cron() too early Cron API 3.4 normal normal Future Release defect (bug) new has-patch 2013-04-22T17:48:44Z 2015-11-01T16:11:21Z "See #19818 for full details.
Then, [https://core.trac.wordpress.org/ticket/19818#comment:8 read my comment in that ticket]. Was advised to create a new ticket.
We need to run 'wp_cron' later than the default priority of 10 to allow plugins that run on this hook to properly initialize.
In the patch, I've bumped the priority to 99. Let me know what you think." r-a-y
Future Releases 23805 wp_ajax_add_menu_item() closed to user-created menu item types Menus normal normal Future Release enhancement new has-patch 2013-03-18T01:41:52Z 2016-11-02T21:50:42Z "I'm building a new Menus meta box, that can add a new type of menu item, lets call it 'foobar'.
The conditional inside `wp_ajax_add_menu_item()` is slightly off. It checks that the menu item type is not 'custom', then proceeds to assume that it's either post-type or taxonomy so it can do some DB look-ups and create an `$_object` variable which is then used. This means it's closed to other types of menu items.
I've chosen 'foobar', so I can distinguish those items later on when walking through the front-end output." GaryJ
Future Releases 23327 Cache incrementors for get_bookmarks() Cache API 3.5.1 low normal Future Release enhancement new has-patch 2013-01-30T18:24:08Z 2016-07-04T10:54:49Z "Make use of a caching incrementor and store queries in individual cache buckets to avoid memory exhaustion.
Pattern this after #23167, which does the same thing for get_pages().
See #23173 for an explanation of the motivation behind this." ryan
Future Releases 23309 Not all WP_Query::query_vars get updated during WP_Query::get_posts() Query normal normal Future Release defect (bug) new needs-unit-tests 2013-01-28T15:40:56Z 2015-12-03T18:42:18Z "There is a lot of logic within the WP_Query::get_posts() method that fills in missing query vars with defaults and manipulates others based on the rest of the query. However, some of the final states for many of the variables aren't updated in the WP_Query::query_vars array. For example, the post type is lost as a local variable and post_status is used for building compiling mysql expressions, but never directly updated.
The result is that any plugins that want to recreate the query for another system, (ie, an external search provider) must directly copy much of the business logic that WP_Query::get_posts() has embedded in it in order to fill in for the incomplete query_var array.
" prettyboymp
Future Releases 22602 Additional error handling when installing child and parent theme from WordPress.org Themes normal normal Future Release enhancement new has-patch 2012-11-27T04:35:17Z 2015-05-02T00:22:24Z See #22515 and ticket:22515#comment:6. nacin
Future Releases 22249 Add ability to set or remove attributes on enqueued scripts and styles. Script Loader normal normal Future Release enhancement assigned 2012-10-21T23:29:13Z 2016-10-12T22:46:45Z "I think it should be easier to customize the loading of scripts and styles (easier to customize the markup generated by the script/style system). Proposed solutions:
'''Solution 1:''' Allow `wp_enqueue_script`, `wp_enqueue_style`, `wp_register_script`, `wp_register_style` to accept an array of attributes as the `$src` parameter. For example:
{{{
wp_enqueue_script( 'my-plugin', array(
'src' => 'http://example.com/js/app.js'
'defer' => ''
'data-my-plugin' => 'custom data attr value'
), array('jquery'), null, true );
}}}
'''Solution 2:''' Add a filter before the markup is generated that allows devs to filter the attributes while they are in array format. For example:
{{{
add_filter('script_loader_attrs', function ($attrs, $handle) {
unset ( $attrs['type'] );
'my-plugin' === $handle and $attrs['data-my-plugin'] = 'plugin data';
$attrs['src'] = remove_query_arg( $attrs['src'] );
return $attrs;
}, 12, 2);
}}}
In class.wp-scripts.php it might look something like:
{{{
$attrs = (array) apply_filters('script_loader_attrs', $attrs, $handle);
}}}
and/or:
{{{
$attrs = (array) apply_filters(""{$handle}_script_loader_attrs"", $attrs );
}}}
----
I imagine that solution '''2''' would be easier to implement than '''1''', and '''2''' allows for themes/plugins to modify scripts/styles w/o re-registering resources.
The key feature of both solutions is the ability to modify the attrs while in array format. There are other ways that one could achieve the same results, but the array is '''by far the cleanest'''. Dirty alternatives include:
* Use `preg_replace()` on the markup after it is generated (see #22245)
* Use output buffers and PHP's DOMElement interface
* Filter away the ""print_scripts_array"" and regenerate the markupmanually.)" ryanve
Next Release 21760 get_term_by() calls are not cached ocean90 Taxonomy 2.3 normal normal 4.8 enhancement reopened 2012-08-31T21:26:22Z 2016-12-03T04:06:01Z {{{get_term()}}} is the simplest way to retrieve one term, but it requires {{{term_id}}} and {{{taxonomy}}}. Because of this, terms are cached with {{{term_id}}} as key and {{{$taxonomy}}} as bucket. As a result, you can't easily grab a term by slug, unless you use {{{get_term_by( 'slug' )}}}. {{{get_term_by( 'slug' )}}} and {{{get_term_by( 'name' )}}} don't even have a query cache, so they go to the database every time. Because you can't get a term by {{{slug}}} without hitting the db, every place you want to get a term by {{{slug}}}: you first have to transform it into a {{{term_id}}} where it will then be cached. This is inefficient because the user may query by {{{slug}}} constantly and never by {{{term_id}}}. wonderboymusic
Future Releases 21602 redirect_canonical can lead to infinite loop on index navigation if site url is not all lower case Canonical normal blocker Future Release defect (bug) assigned needs-unit-tests 2012-08-15T21:31:17Z 2016-03-23T21:54:43Z "The function redirect_canonical in wp-includes/canonical.php (WordPress 3.4.1) on line 406 and 422 makes the following check:
{{{
if ( !$redirect_url || $redirect_url == $requested_url )
return false;
}}}
This ensures that it does not attempt to redirect you to the page you requested in the first place. However this function is not case sensitive so if the redirect URL is in a different case than the requested URL then the user can enter an infinite redirect loop. (For example if the Site Address (URL) of the site is set to be in all upper case.)
This function should do a case-insensitive string comparison since domain names are case-insensitive.
The issue only appears to happen with certain plugins installed (ShareThis and PilotPress both led to this issue,) I haven't figured out yet why it's only an issue with certain plugins but it should still be fixed in WordPress to make the proper string comparison. " sreedoap
Future Releases 21022 Allow bcrypt to be enabled via filter for pass hashing Security 3.4 normal normal Future Release enhancement new dev-feedback 2012-06-20T01:34:26Z 2016-10-31T01:56:20Z "Hi,
following recent discussions on password security and how to best prevent any hackers can leverage password table they might have got I looked into the phpass used for WordPress.
While I in principle understand why WordPress uses the compatibility mode of it, I would like to see some flexibility for those who don't need the compatibility.
Thus I would propose to change in wp-includes/pluggable.php all occurances of
$wp_hasher = new PasswordHash(8, true);
to
$wp_hasher = new PasswordHash(8, apply_filters('phpass_compatibility_mode', true));
This would allow users to easily change via plugin from the ""not so secure"" compatibility mode (only salted MD5) of phpass to a more secure setting (bcrypt) in case no compatibility with other applications is required.
The plugin changing the encryption methog could then as easy as
function phpass_bcrypt() {
return false;
}
add_filter('phpass_compatibility_mode', 'phpass_bcrypt');" th23
Future Releases 20974 Remove obsolete locale-specific files on upgrade dd32 I18N 3.4 low normal Future Release defect (bug) assigned has-patch 2012-06-15T14:06:43Z 2015-11-20T01:39:17Z "We used to have `wp-content/languages/ru_RU.css` file in ru_RU package.
Since #19603, it's no longer needed, but is still left over on upgrade. We should probably include it in `$_old_files`.
I suppose the same applies to zh_CN and he_IL packages ([19825])." SergeyBiryukov
Future Releases 20902 redirect_canonical() on using permalink: Not all $_GET being redirected chriscct7 Canonical 3.4 normal normal Awaiting Review defect (bug) reviewing has-patch 2012-06-11T09:30:08Z 2015-12-06T23:16:51Z "Using permalink, I suppose that all query_var entered manually on URL or using $_GET will be redirected to proper permalink. Apparently not all being redirected at all. AFAIC:
1. /?post_format=image : should be redirected to /type/image/
2. /?pagename=blog : should be redirected to /blog/
3. /?author_name=admin : should be redirected to /author/admin/
Unfortunately, they are not.
It can be done by filtering redirect_canonical() but it will be better if it's being done by default as we can see that /?category_name=cat will be redirected to /category/cat/" arieputranto
Future Releases 20299 "Preview changes on a published post makes all post meta ""live""" adamsilverstein Revisions 3.3.1 normal major Future Release defect (bug) assigned dev-feedback 2012-03-25T02:02:16Z 2016-07-04T21:05:42Z "Here's the use case. Client wants to preview an update to a published post (as the Preview Changes button correctly implies they can). This post has some important post meta that impacts that preview.
Here's the problem - because post meta is not saved to a revision (it looks for the ""real"" post), when the preview button is pressed, save_post runs, and saves the meta data to the real, published post, even though the user only intends to preview the change.
Without realizing it, the user has updated the published version. That can be prevented by not saving post meta to revisions (when using custom save_post hooks), but then there's no non-hacky way to actually preview the full changes.
I believe this bug has been present for a while, we just rarely use the Preview function on published posts, and when we do, probably never tested it with critical post meta." jakemgold
Future Releases 19739 Filters to allow comments on draft & trash post_status posts Comments 3.3 normal normal Future Release enhancement new has-patch 2012-01-04T19:01:18Z 2016-10-30T21:23:43Z "I'd like to use comments on draft posts as part of an editorial workflow. Will this be as easy as adding a filter to fire before the current comment_on_draft action that can be checked before exiting? I'll try that and add a patch if it looks good.
Related #13276. Not relevant to #18630, I think." cyberhobo
Future Releases 18857 get_plugin_page_hookname uses menu_title to construct subpage load-hooks SergeyBiryukov* Plugins 3.1.4 normal normal Future Release defect (bug) accepted needs-unit-tests 2011-10-04T15:16:33Z 2016-11-16T11:29:14Z "The load-hook for PluginSubPages isn't working anymore if the PluginPage is translated.
The reason seems to be that the get_plugin_page_hookname function uses the menu_title instead of the menu_slug to create the hookname.
I attached a possible fix." apocalip
Future Releases 18315 Add an index to the GUID column in the posts table Database 3.2.1 normal normal Future Release enhancement reopened dev-feedback 2011-08-02T04:31:01Z 2015-12-03T20:00:00Z "Running queries on the GUID column in the posts table is slow because the column is not indexed. The attached patch adds an index.
Note, this affects ticket #18286 - I will update that ticket with appropriate patches to reflect this request." alexkingorg
Future Releases 17904 Multisite has more restrictions on user login character set jeremyfelt Login and Registration 3.0 normal normal Future Release defect (bug) assigned has-patch 2011-06-27T11:09:12Z 2016-10-20T13:04:33Z "Multisite has more restrictions on the characters allowed in a user's login name compared to single site. This seems unnecessary and confusing. It was also the root of a recent bug in the importer, see [http://wordpress.org/support/topic/invalid-author-importing-single-wordpress-to-mulitsite-wordpress?replies=21#post-2186667 this forum thread] and the [http://plugins.trac.wordpress.org/changeset/401649 workaround].
I haven't worked up a patch yet since there seem to be a few locations where these restrictions are enforced and I don't know if I have found them all yet:
- wpmu_validate_user_signup() uses the regex `/[a-z0-9]+/`
- ms-default-filters.php adds `strtolower` to `sanitize_user`
Relevant: http://mu.trac.wordpress.org/changeset/1689 [12948]" duck_
Future Releases 17771 URL-encoded comment_author_url gets broken by MySQL varchar 200 length limit SergeyBiryukov Pings/Trackbacks 3.2 normal normal Future Release defect (bug) reviewing has-patch 2011-06-12T03:46:44Z 2016-10-19T22:37:36Z "!WordPress sometimes pings back with long permalinks that exceed comment_author_url column length limit of 200, which results in generating unusable broken links to the post.
It easily reaches to the limit, especially if the permalink contains url-encoded multibyte title as postname. (e.g. 23 characters of UTF-8 Japanese become a 207 characters long url-encoded string. Incomplete url-encoded string may trigger 400 Bad Request too.)
'''Solution:'''
In pingback(), use shortlink instead of regular permalink if the URL is longer than 200 characters.
It seems to work ok with wp.me shortlinks." tenpura
Future Releases 17737 Be better at forcing data types for query vars Query 3.0 normal normal Future Release defect (bug) new has-patch 2011-06-09T21:59:41Z 2015-09-15T22:54:46Z "I already email this flaw to security@wordpress.org but Andrew Nacin told me that this is not a WordPress flaw, but php server config flaw. So i post this here now.[[BR]]
----
''Exploit'' : http://WEBSITE.COM/?author[]=1 [[BR]]
''Problem'' : FPD (https://www.owasp.org/index.php/Full_Path_Disclosure) [[BR]]
''Solution'' : Add this ""@ini_set('display_errors', 0);"" or this ""error_reporting(0);"" in the end of wp-config.php file. [[BR]]
''Patch'' : [[BR]]
1) wp-includes/query.php line 2239 [[BR]]
Replace
{{{
$q['author'] = (string)urldecode($q['author']);
}}}
by
{{{
if ( is_array( $q['author'] ) ) {
$q['author'] = $q['author'][0];
}
$q['author'] = (string)urldecode($q['author']);
}}}
2) wp-includes/canonical.php line 142 [[BR]]
Replace
{{{
} elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', $_GET['author'] ) ) {
}}}
by
{{{
} elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', !is_array($_GET['author']) ? $_GET['author'] : $_GET['author'][0] ) ) {
}}}
[[BR]]
'''Julio''' - [http://www.boiteaweb.fr]" juliobox
Future Releases 17268 Use native gettext library when available I18N normal normal Future Release enhancement new has-patch 2011-04-28T11:32:30Z 2016-08-17T14:57:59Z "[http://codex.wordpress.org/Translating_WordPress Here] you say that the GNU gettext-Framework is used. Exactly, ""pomo"" (file: wp-includes/l10n.php) is a complete own php-implementation of the gettext-program.
I've added a patch to solve this problem. Maybe it is not very good, but it works. On my wordpress-sites, the used php-memory returns from about 65% to about 12% and the site is running much faster when patching wp-includes/l10n.php.
I know that gettext is not available on every wordpress-installation, but when it's available, it should be used.
Sorry for my bad english, I'm german." linushoppe
Future Releases 16839 Category Base Should be Slugified Rewrite Rules 3.1 normal normal Future Release defect (bug) reviewing 2011-03-12T21:42:52Z 2015-12-03T17:57:09Z "Vanilla install of 3.1. Change category base to Foo Bar. Link generated is example.com/Foo Bar/cat (note the %20/space). Clicking link tries to access /FooBar/cat and 404's.
I see there are a few other tickets regarding categories, including #16662 but no specific mention of custom category base.
" miklb
Future Releases 16483 Visibility: password-protected exposes multiple pages Security 3.0.4 normal normal Future Release defect (bug) new dev-feedback 2011-02-07T19:02:15Z 2016-10-31T21:16:53Z "1. password protect a page ('protected') with a password
2. password protect another page ('thistoo') with the SAME password
3. visit 'protected' and enter the password. Page is visible
4. visit 'thistoo'; expected: prompt for password. What happens: Page is visible
Regardless of whether someone with a password has the right to try it in as many pages as they want (and would therefore successfully see the page if the passwords were the same), the user should still be prompted on a page-by-page basis. Global authentication to multiple pages is possible with user accounts and roles. It should not be possible with visibility: password-protected pages." monkeyhouse
Future Releases 16118 Support for wp_enqueue_style with negative conditional comments Script Loader 3.0.4 normal normal Future Release enhancement new dev-feedback 2011-01-06T06:18:40Z 2016-11-10T01:10:15Z "Please refer to #10891. It refers to the support for conditional comments using the global variable, wp_styles.
I have noticed that if you pass a negative conditional comment, however, this breaks. E.g. Let's say you have a lot of CSS3 rules, which don't apply to IE. You would not include that CSS:
{{{
}}}
I know that IE9 supports CSS3, but I am using the above for illustrative purposes. One would expect that to include the conditional comment above you would do this between the register and the enqueue commands:
{{{
$GLOBALS['wp_styles']->add_data('my-handle', 'conditional', '!IE');
}}}
If you add a conditional tag to wp_styles, however, the generated markup is incorrect:
{{{
}}}
Note the missing --> after [if !IE]>, and